From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Wed Nov 19 2008 - 03:10:31 ARST
Hi Subfighter,
After labbing it up and playing around with different settings, I came
to the conclusion that IOS is not stable when it comes to using NBAR to
match http url !!!!
Nothing is wrong with your original config; I think it's just because
IOS is buggy. Obviously, your modified config, which uses match-all for
host youtube & google, should be changed to match-any. But I am sure
that change will not fix the problem either.
I later found out that Petr at IE has a good blog on this topic already,
and he also pointed out that using IOS NBAR to filter WWW traffic is not
a best practice. Check it out at
http://blog.internetworkexpert.com/2008/11/04/using-nbar-for-http-url-filtering/
Here's my setup.
Match http url seems to work all right. But Match http host does not.
R1 ------- R3 ------- R2
PC (YouTube)
Rack1R3#
!
class-map match-all TELNET
match protocol telnet
class-map match-any YOUTUBE
match protocol http host "*youtube*"
match protocol http url "*.mov*" ! Just for testing
!
!
policy-map BLOCK_YOUTUBE
class YOUTUBE
drop
class TELNET
drop
interface Serial2/3
desc ****** connected to R2
ip address 155.1.23.3 255.255.255.0
service-policy output BLOCK_YOUTUBE
Rack1R1#ping youtube.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
Rack1R1#telnet youtube.com
Trying youtube.com (150.1.2.2)...
% Connection timed out; remote host not responding
Rack1R3#sh policy-map interface
Serial2/3
Service-policy output: BLOCK_YOUTUBE
Class-map: YOUTUBE (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.mov*"
0 packets, 0 bytes
5 minute rate 0 bps
drop
Class-map: TELNET (match-all)
2 packets, 96 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
drop
Class-map: class-default (match-any)
14 packets, 3028 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: any
Rack1R1#copy http://admin:cisco@youtube.com/brian_petr_naked.mov null:
%Error opening http://admin:cisco@youtube.com/brian_petr_naked.mov (I/O error)
Rack1R1#copy http://admin:cisco@youtube.com/initial-cfg null:
Loading http://***********@youtube.com/initial-cfg !
1221 bytes copied in 0.412 secs (2964 bytes/sec)
Rack1R3#sh policy-map interface
Serial2/3
Service-policy output: BLOCK_YOUTUBE
Class-map: YOUTUBE (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.mov*"
0 packets, 0 bytes
5 minute rate 0 bps
drop
Class-map: TELNET (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
drop
Class-map: class-default (match-any)
51 packets, 8919 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Rack1R1#copy http://admin:cisco@youtube.com/brian_petr_naked.mov null:
%Error opening http://admin:cisco@youtube.com/brian_petr_naked.mov (I/O error)
Rack1R1#copy http://admin:cisco@youtube.com/initial-cfg null:
Loading http://***********@youtube.com/initial-cfg !
1221 bytes copied in 0.412 secs (2964 bytes/sec)
Rack1R1#copy http://admin:cisco@youtube.com/initial-cfg null:
%Error opening http://admin:cisco@youtube.com/initial-cfg (I/O error)
****** NO CONFIG CHANGE, but as you can see above,
****** sometimes access to http://youtube.com/initial-cfg
****** is successful, and one time it's NOT.
Rack1R3#sh policy-map interface
Serial2/3
Service-policy output: BLOCK_YOUTUBE
Class-map: YOUTUBE (match-any)
16 packets, 2908 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.mov*"
16 packets, 2908 bytes
5 minute rate 0 bps
drop
Class-map: TELNET (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
drop
Class-map: class-default (match-any)
146 packets, 31947 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Rack1R3(config-if)#no service-policy output BLOCK_YOUTUBE
Rack1R3(config-if)#
Rack1R3(config-if)# service-policy output BLOCK_YOUTUBE
Rack1R1#copy http://admin:cisco@youtube.com/initial-cfg null:
Loading http://***********@youtube.com/initial-cfg !
1221 bytes copied in 0.420 secs (2907 bytes/sec)
Rack1R1#copy http://admin:cisco@youtube.com/brian_petr_naked.mov null:
%Error opening http://admin:cisco@youtube.com/brian_petr_naked.mov (I/O error)
Rack1R3#sh policy-map interface
Serial2/3
Service-policy output: BLOCK_YOUTUBE
Class-map: YOUTUBE (match-any)
7 packets, 1346 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*.mov*"
7 packets, 1346 bytes
5 minute rate 0 bps
drop
Class-map: TELNET (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol telnet
drop
Class-map: class-default (match-any)
37 packets, 7300 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
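The per-class and per-criterion counters in the show policy-map interface output above are the only evidence that a blocking class is doing anything, so here is a small parser for that output, written for this thread as an added example (it is not code from the post or from Cisco). It reads the packet counts for each class and each Match line, reports criteria that never fired, and checks that the class actually carries a drop action. The sample text is constructed to mirror R3's third output above; the indentation-free layout it assumes is the one quoted in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, mirroring R3's "show policy-map interface" output
# after the .mov download attempts in the post above.
SAMPLE_OUTPUT = """\
Serial2/3
 Service-policy output: BLOCK_YOUTUBE
  Class-map: YOUTUBE (match-any)
   16 packets, 2908 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: protocol http host "*youtube*"
    0 packets, 0 bytes
    5 minute rate 0 bps
   Match: protocol http url "*.mov*"
    16 packets, 2908 bytes
    5 minute rate 0 bps
   drop
  Class-map: TELNET (match-all)
   0 packets, 0 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: protocol telnet
   drop
  Class-map: class-default (match-any)
   146 packets, 31947 bytes
   5 minute offered rate 0 bps, drop rate 0 bps
   Match: any
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
PKT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match:\s+(.*\S)")
ACTION_PREFIXES = ("set ", "police", "bandwidth", "shape", "priority")


@dataclass
class ClassStats:
    name: str
    mode: str
    packets: int = 0
    byte_count: int = 0
    # criterion text -> packets; None when IOS prints no per-criterion counter
    # (match-all classes and "Match: any" only show the class total)
    matches: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)


def parse_policy_map(text):
    """Parse 'show policy-map interface' text into a list of ClassStats."""
    classes, current, current_match = [], None, None
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            current = ClassStats(m.group(1), m.group(2))
            classes.append(current)
            current_match = None      # next packet line belongs to the class
            continue
        if current is None:
            continue                  # interface / service-policy header lines
        m = MATCH_RE.match(line)
        if m:
            current_match = m.group(1)
            current.matches[current_match] = None
            continue
        m = PKT_RE.match(line)
        if m:
            pkts, byts = int(m.group(1)), int(m.group(2))
            if current_match is None:
                current.packets, current.byte_count = pkts, byts
            else:
                current.matches[current_match] = pkts
            continue
        stripped = line.strip()
        if stripped == "drop" or stripped.startswith(ACTION_PREFIXES):
            current.actions.append(stripped)
    return classes


def audit_filter(classes, filter_class):
    """What a defender wants to know about a blocking class: does it see
    traffic, which criteria never fired, and is 'drop' really applied."""
    by_name = {c.name: c for c in classes}
    cls = by_name[filter_class]
    dead = [crit for crit, pkts in cls.matches.items() if pkts == 0]
    return {
        "mode": cls.mode,
        "hits": cls.packets,
        "dead_criteria": dead,
        "drops": "drop" in cls.actions,
        "default_packets": by_name["class-default"].packets,
    }


if __name__ == "__main__":
    report = audit_filter(parse_policy_map(SAMPLE_OUTPUT), "YOUTUBE")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows the class dropping 16 packets, all of them credited to the url criterion, while the host criterion stays at zero, which is exactly the "match http url works, match http host does not" observation from the post. The same parser can be fed the output of any of the other routers in the thread, as long as the counters follow the quoted layout.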
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Administrator
Sent: Wednesday, 19 November 2008 1:32 PM
To: Pavel Bykov
Cc: omar parihuana; ccielab@groupstudy.com
Subject: RE: CBWFQ to block Youtube
So here goes. I gotta say I learned a lot today about QoS, still some
issues though ...
!
class-map match-all CRAP
match protocol http host "*youtube.com*"
match protocol http host "*google*"
class-map match-all MAIL
match protocol smtp
class-map match-all TELBET
match protocol telnet
class-map match-all WWW
match protocol http
!
!
policy-map FILTER
class CRAP
set dscp af31
class WWW
set dscp af11
class MAIL
set precedence 3
class TELBET
!
!
!
interface Ethernet0
ip address PUBLIC ADDRESS
ip nat outside
ip virtual-reassembly
half-duplex
service-policy output FILTER
!
!
interface FastEthernet0
ip address PRIVATE ADDRESS
ip nat inside
ip virtual-reassembly
speed auto
!
OK, so I upgraded the IOS I used and connected to a NON DSL link. The
unit now has a static public IP at e0, and a private one on fa0.
Still running NAT. Started to mess with this a bit and made some great
strides in my understanding of QoS.
Still not able to get the youtube or google stuff to hit my class
though.
So I created another class with www in it, which hits the queue
just fine.
So I added smtp and telnet to test this out; they all hit the queue just
fine.
What am I missing? Below is an output showing the queue being hit just
fine, all but the url specific stuff.
CCIE_LAB(config-pmap-c)#do sh policy-map int e0 Ethernet0
Service-policy output: FILTER
Class-map: CRAP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube.com*"
Match: protocol http host "*google*"
QoS Set
dscp af31
Packets marked 0
Class-map: WWW (match-all)
269 packets, 143494 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
QoS Set
dscp af11
Packets marked 269
Class-map: MAIL (match-all)
139 packets, 14881 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol smtp
QoS Set
precedence 3
Packets marked 139
Class-map: TELBET (match-all)
14 packets, 805 bytes
5 minute offered rate 0 bps
Match: protocol telnet
Class-map: class-default (match-any)
37569 packets, 19663891 bytes
5 minute offered rate 266000 bps, drop rate 0 bps
Match: any
CCIE_LAB(config-pmap-c)#
CCIE_LAB(config-pmap-c)#
CCIE_LAB(config-pmap-c)#
________________________________
From: Pavel Bykov [mailto:slidersv@gmail.com]
Sent: Tue 11/18/2008 8:20 PM
To: Administrator
Cc: omar parihuana; ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Did you just paste commands right in the email editor? They don't look
right...
Anyway, steps to enable NBAR are:
1. ip cef <- O.K.
2. ip nbar protocol-discovery <- on the interface, to classify traffic! You
don't have that!!!
Also, support for NBAR on dialer has been introduced in 12.2T, so make
sure you don't have too old an IOS.
Recommended change to make sure everything works:
interface FastEthernet0
ip nbar protocol-discovery
service-policy input BLOCK-youtube
and then, if
"show policy-map int fa0 input" shows drops on the "youtube" class, try
removing the service policy from Fast and see if it works on dialer.
That's a bit of an oldish router, isn't it?
On Wed, Nov 19, 2008 at 2:00 AM, Administrator
<Administrator@subfighter.ca>
wrote:
Here is the config, I have sanitized it a bit ...
!
hostname WOW_1710
memory-size iomem 25
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
class-map match-all TELNET
match protocol telnet
class-map match-all youtube
match protocol http host "*youtube.com*"
!
!
policy-map BLOCK-youtube
class youtube
drop
class TELNET
drop
!
!
!
interface Ethernet0
no ip address
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0 secondary
ip address 10.1.200.200 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
service-policy output BLOCK-youtube
encapsulation ppp
ip tcp adjust-mss 1392
dialer pool 1
dialer-group 1
ppp authentication pap callin
!
ip nat inside source route-map NAT interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 118 permit ip 192.168.1.0 0.0.0.255 any
access-list 118 permit ip 10.1.200.0 0.0.0.255 any
!
route-map NAT permit 10
match ip address 118
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
WOW_1710#
________________________________
From: Pavel Bykov [mailto:slidersv@gmail.com]
Sent: Tue 11/18/2008 7:42 PM
To: Administrator
Cc: omar parihuana; ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Please post us your show class-map, show policy-map and show run
int x/x
to see how your class-maps and policy-maps are defined and how you
are applying them.
Also, do you have IP CEF enabled globally? Without it, it will
not work.
P.S.: Brian, is that monkey talking on the microphone? :) I
think everybody gets spam like that at work all the time. We do. I
wouldn't quite put it in the time killer category though.
If someone wanted to waste time, there are whole realms
dedicated to progressing your boredom, e.g. bored.com
On Wed, Nov 19, 2008 at 1:16 AM, Administrator
<Administrator@subfighter.ca>
wrote:
I have entered this exactly, and still things hit the
default-class for some reason. Is it because I also have NAT on the
router? Does that affect the configuration in some way?
________________________________
From: omar parihuana [mailto:omar.parihuana@gmail.com]
Sent: Tue 11/18/2008 3:43 PM
To: Administrator
Cc: ccielab@groupstudy.com
Subject: Re: CBWFQ to block Youtube
Try this:
Voice_GW_LAB#sh run class-map
Building configuration...
Current configuration : 81 bytes
!
class-map match-all youtube
match protocol http host "*youtube.com*"
!
end
Voice_GW_LAB#sh run policy-map
Building configuration...
Current configuration : 59 bytes
!
policy-map BLOCK-youtube
class youtube
drop
!
end
Voice_GW_LAB#sh run int f0/1
Building configuration...
Current configuration : 234 bytes
!
interface FastEthernet0/1
...
service-policy output BLOCK-youtube
end
Voice_GW_LAB#
Voice_GW_LAB#sh policy-map interface f0/1
FastEthernet0/1
Service-policy output: BLOCK-youtube
Class-map: youtube (match-all)
27 packets, 29642 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http host "*youtube.com*"
drop
Class-map: class-default (match-any)
15842 packets, 1412490 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Voice_GW_LAB#
On Tue, Nov 18, 2008 at 2:59 PM, Administrator
<Administrator@subfighter.ca>
wrote:
Hi there, I was just doing a lab and thought I would try something on
my test DSL connection.
My intent was to block www.youtube.com with QOS.
Here is what I have ...
!
class-map match-all YOUTUBE
match protocol http url "www.youtube.com"
!
!
policy-map CBWFQ_SHAPE_OUT
class YOUTUBE
drop
!
!
interface Ethernet0
service-policy output CBWFQ_SHAPE_OUT
!
But for some reason, it doesn't work. I have CEF enabled. When I do a
show policy-map int e0, it shows everything hitting the default
class-default.
I am sure I am missing something simple, but my QOS skillz are low and
I am trying to build them. Thanks !
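Two of the configs in this thread fail for the same structural reason: the original YOUTUBE class matches http url "www.youtube.com", and the later CRAP class is match-all with two host patterns. The following is an added example, not code from any post in the thread, that models how an MQC policy-map classifies a request: each class-map is a list of criteria combined with match-all (every criterion must hold for the same packet) or match-any, classes are evaluated in order with the first hit winning, and NBAR's host keyword is compared with the HTTP Host header while url is compared only with the path after the host name. The '*' wildcard handling, the request dictionaries and the helper names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


def nbar_glob(pattern: str):
    """Compile an NBAR-style pattern where '*' matches any run of characters.
    Only '*' is modelled (an assumption of this example); all else is literal."""
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Criterion:
    protocol: str                   # "http", "smtp", "telnet", ...
    field: Optional[str] = None     # "host" (Host header), "url" (path after host) or None
    pattern: Optional[str] = None


@dataclass(frozen=True)
class ClassMap:
    name: str
    mode: str                       # "match-all" or "match-any"
    criteria: tuple


def criterion_hits(crit: Criterion, request: dict) -> bool:
    """One 'match protocol ...' line: protocol must match, then the optional
    host/url pattern is applied to the field NBAR inspects for that keyword."""
    if request.get("protocol") != crit.protocol:
        return False
    if crit.field is None:          # plain "match protocol X"
        return True
    value = request.get(crit.field)
    return value is not None and nbar_glob(crit.pattern).search(value) is not None


def class_hits(cm: ClassMap, request: dict) -> bool:
    results = [criterion_hits(c, request) for c in cm.criteria]
    return all(results) if cm.mode == "match-all" else any(results)


def classify(policy, request: dict) -> str:
    """Policy-map semantics: classes evaluated in order, first hit wins,
    anything else lands in class-default."""
    for cm in policy:
        if class_hits(cm, request):
            return cm.name
    return "class-default"


def filter_policy(crap_mode: str):
    """The FILTER policy-map posted above, with CRAP in the requested mode."""
    return [
        ClassMap("CRAP", crap_mode, (Criterion("http", "host", "*youtube.com*"),
                                     Criterion("http", "host", "*google*"))),
        ClassMap("WWW", "match-all", (Criterion("http"),)),
        ClassMap("MAIL", "match-all", (Criterion("smtp"),)),
        ClassMap("TELBET", "match-all", (Criterion("telnet"),)),
    ]


# Constructed requests, reduced to the fields NBAR looks at.
YOUTUBE_REQUEST = {"protocol": "http", "host": "www.youtube.com", "url": "/watch?v=abc123"}
GOOGLE_REQUEST = {"protocol": "http", "host": "www.google.com", "url": "/search?q=nbar"}
TELNET_SESSION = {"protocol": "telnet"}

if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(mode, "->", classify(filter_policy(mode), YOUTUBE_REQUEST),
              classify(filter_policy(mode), GOOGLE_REQUEST))
    url_only = [ClassMap("YOUTUBE", "match-all", (Criterion("http", "url", "www.youtube.com"),))]
    print("url-based class ->", classify(url_only, YOUTUBE_REQUEST))
```

With CRAP as match-all, a single Host header cannot contain both youtube.com and google, so youtube and google requests fall through to WWW, which is the 269-packet WWW / 0-packet CRAP split shown in the output above; switching the class to match-any sends both to CRAP. The url-based class never fires because the path of a request to www.youtube.com contains no host name, which is why the first reply swapped url for host.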
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST